Simple Text-File Login script (SiTeFiLo).
Copyright ©2004,2005,2006,2017 by Mario A. Valdez-Ramirez (mario@mariovaldez.org).
(Read the license.txt file for details).

=========================================
* Requirements of the Simple Text-File Login script.

* PHP 4.1.x or higher. Your web server should be able to interpret the PHP language. The platform doesn't really matter (the SiTeFiLo script has been tested in GNU/Linux with Apache and in Windows with IIS).
* PHP must have the option register_globals disabled (the option is disabled by default since PHP 5.3 and doesn't exist since PHP 7).
* A web server (you already have one if you have a website). The SiTeFiLo script has been tested with Apache and IIS, but it should work with any web server.

=========================================
* Installation and configuration of the Simple Text-File Login script.

............................................
Integration with your existing website.
............................................

1) Convert to PHP.
If you already have a web site with HTML pages, you need to convert them to PHP files. You only need to change the .htm or .html extension to .php. If everything is set up correctly in your server, your pages should load normally.

2) Get the files.
Get the files from http://www.mariovaldez.net/software/sitefilo/ (There are zip and tar.gz files available).

3) Unpack.
Extract the files to your website directory, or unpack them in your local drive and upload the files to your webserver. (Be careful not to overwrite any of your files).

4) Create a common header and footer (optional).
If your pages have a common look at the beginning and at the end, you can save a lot of editing the next time you want to change (for example) the navigation of your site by moving that HTML code to the header.inc.php and footer.inc.php files. Those files will be included in all your .php files automatically if you want to.
(Those files are provided with minimal code; if you won't use this feature, don't delete the files or their content).

5) Integrate the authentication.
Use the provided index.php file as a guide about how to integrate the authentication script.

At the beginning of your .php files, add the following code (if you want to leverage the common header and footer):

If you won't use the common footer and header, use this code:

And at the end of your .php files add the following code only if you want to use the common header and footer:

There are five variables that can be changed per-page:
* slogin_pagetitle: The title string of the page.
* slogin_noauthpage: Use 0 to enable authentication in that page, use 1 to disable authentication.
* slogin_lang: The language of the SiTeFiLo strings to be used for this page (to apply for all pages, set the global configuration).
* slogin_redirect: The full URL where the user will be sent after logging in here (to apply for all pages, set the global configuration).
* slogin_logoutredirect: The full URL where the user will be sent when logging out (to apply for all pages, set the global configuration).

6) Customize the login form (optional).
You can change the way the login form will look by editing the slogin.inc.php file. The file is mostly HTML; just take care not to delete the PHP variables included.

7) Configure.
Edit the slogin_lib.inc.php file to configure your authentication.
* First change the slogin_default_lang variable to "en", "es", "fr" or "de" to change the login messages to English, Spanish, French or German. (This setting is a default to be used for the pages that don't define it).
* Change the slogin_default_pagetitle variable to something like "My website". (This setting is a default to be used for the pages that don't define it).
* Then change the slogin_userstxt variable to the name of your users file.
For increased security change the name to something else (default name is slog_users.txt), for example: "my_friends_data.txt".
* For even more security, enable the use of hashed (encrypted) passwords by changing the slogin_usehashes variable to 1 (this is more important if you use the text user file).
* If your web server has the PHP function fopen disabled, you can enable the alternate user php file; just change the slogin_canusefopen variable to 0 (it is not necessary to rename the slog_users.php file).
* If you want the users to be redirected to another page once they log in (for example to a welcome page) then set the slogin_default_redirect variable to the full URL of that page, for example "http://www.mydomain.com/welcome.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to another page once they log out (for example to a goodbye page) then set the slogin_default_logoutredirect variable to the full URL of that page, for example "http://www.mydomain.com/goodbye.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to a special page once they log in (for example to a personal welcome page for each user) then set the slogin_allowuser_redirect variable to 1. This option depends on the value of the slogin_default_redirect variable. So, for example, if slogin_default_redirect is set to "http://www.mydomain.com/private/" then user "mary" will be redirected to the URL "http://www.mydomain.com/private/mary" when logging in, user "john" will be redirected to page "http://www.mydomain.com/private/john", and so on. Please note that this only affects the redirection URL, not the permissions. In these examples, mary can still visit john's page if she wants.

8) Rename the users file.
Change the name of the slogin_users.txt file to the name you configured in the slogin_userstxt variable.
(This is not necessary if you are using the alternate php user file).

9) Add your users to the users file.
Open the slogin_users.txt file and start adding your users with the following format:

  username, password
  username, password
  username, password

If you are using the alternate php user file, then open slogin_users.php and start adding your users with the following format (watch the incrementing index number!):

  $slogin_user[1]="testuser"; $slogin_pass[1]="testpass";
  $slogin_user[2]="mario.valdez"; $slogin_pass[2]="qwerty";
  $slogin_user[3]="admin"; $slogin_pass[3]="admin";

(We recommend that you use only alphanumeric characters and don't use more than 100 users).

If you have enabled the use of hashed (encrypted) passwords, the password stored in the user file should be the MD5 hash. For example, the MD5 hash of the word admin (which is the default password of the user admin) is 21232f297a57a5a743894a0e4a801fc3. To generate your own MD5 hashes you can use the slogin_genpass.php script: just enter the password in plain text, then copy the result to the user password file. (When finishing the installation, you can generate your own MD5 hashes from the administration script).

10) You are done.
Test your site. Also check the adminlog.php script, where you can see all logins by date. (The adminlog.php script can only be viewed by the user named admin).

............................................
Creating a new website.
............................................

1) Get the files.
Get the files from http://www.mariovaldez.net/software/sitefilo/ (There are zip and tar.gz files available).

2) Unpack.
Extract the files to your website directory, or unpack them in your local drive and upload the files to your webserver.

3) Create a common header and footer.
If your pages have a common look at the beginning and at the end, you can save a lot of editing the next time you want to change (for example) the navigation of your site by moving that HTML code to the header.inc.php and footer.inc.php files. Those files will be included in all your .php files automatically if you want to. (Those files are provided with minimal code).

4) Create the pages.
Use the provided index.php file to create all your pages. Just copy the index.php file under another name and start writing your HTML code where it says:

Here goes your content.

There are five variables that can be changed per-page:
* slogin_pagetitle: The title string of the page.
* slogin_noauthpage: Use 0 to enable authentication in that page, use 1 to disable authentication.
* slogin_lang: The language of the SiTeFiLo strings to be used for this page (to apply for all pages, set the global configuration).
* slogin_redirect: The full URL where the user will be sent after logging in here (to apply for all pages, set the global configuration).
* slogin_logoutredirect: The full URL where the user will be sent when logging out (to apply for all pages, set the global configuration).

5) Customize the login form (optional).
You can change the way the login form will look by editing the slogin.inc.php file. The file is mostly HTML; just take care not to delete the PHP variables included.

6) Configure.
Edit the slogin_lib.inc.php file to configure your authentication.
* First change the slogin_default_lang variable to "en", "es", "fr" or "de" to change the login messages to English, Spanish, French or German. (This setting is a default to be used for the pages that don't define it).
* Change the slogin_default_pagetitle variable to something like "My website". (This setting is a default to be used for the pages that don't define it).
* Then change the slogin_userstxt variable to the name of your users file. For increased security change the name to something else (default name is slog_users.txt), for example: "my_friends_data.txt".
* For even more security, enable the use of hashed (encrypted) passwords by changing the slogin_usehashes variable to 1 (this is more important if you use the text user file).
* If your web server has the PHP function fopen disabled, you can enable the alternate user php file; just change the slogin_canusefopen variable to 0 (it is not necessary to rename the slog_users.php file).
* If you want the users to be redirected to another page once they log in (for example to a welcome page) then set the slogin_default_redirect variable to the full URL of that page, for example "http://www.mydomain.com/welcome.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to another page once they log out (for example to a goodbye page) then set the slogin_default_logoutredirect variable to the full URL of that page, for example "http://www.mydomain.com/goodbye.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to a special page once they log in (for example to a personal welcome page for each user) then set the slogin_allowuser_redirect variable to 1. This option depends on the value of the slogin_default_redirect variable. So, for example, if slogin_default_redirect is set to "http://www.mydomain.com/private/" then user "mary" will be redirected to the URL "http://www.mydomain.com/private/mary" when logging in, user "john" will be redirected to page "http://www.mydomain.com/private/john", and so on. Please note that this only affects the redirection URL, not the permissions. In these examples, mary can still visit john's page if she wants.

7) Rename the users file.
Change the name of the slogin_users.txt file to the name you configured in the slogin_userstxt variable. (This is not necessary if you are using the alternate php user file).

8) Add your users to the users file.
Open the slogin_users.txt file and start adding your users with the following format:

  username, password
  username, password
  username, password

If you are using the alternate php user file, then open slogin_users.php and start adding your users with the following format (watch the incrementing index number!):

  $slogin_user[1]="testuser"; $slogin_pass[1]="testpass";
  $slogin_user[2]="mario.valdez"; $slogin_pass[2]="qwerty";
  $slogin_user[3]="admin"; $slogin_pass[3]="admin";

(We recommend that you use only alphanumeric characters and don't use more than 100 users).

If you have enabled the use of hashed (encrypted) passwords, the password stored in the user file should be the MD5 hash. For example, the MD5 hash of the word admin (which is the default password of the user admin) is 21232f297a57a5a743894a0e4a801fc3. To generate your own MD5 hashes you can use the slogin_genpass.php script: just enter the password in plain text, then copy the result to the user password file. (When finishing the installation, you can generate your own MD5 hashes from the administration script).

9) You are done.
Test your site. Also check the adminlog.php script, where you can see all logins by date. (The adminlog.php script can only be viewed by the user named admin).

=========================================
* Upgrading the Simple Text-File Login script.

............................................
Upgrading from an older version.
............................................

NOTE: the support for the optional variable slogin_path has been removed as it may cause a security vulnerability if you don't set the variable in your pages AND the server has the PHP option register_globals enabled AND the PHP option allow_url_include is enabled.

1) Get the files.
Get the files from http://www.mariovaldez.net/software/sitefilo/ (There are zip and tar.gz files available).

2) Unpack.
Extract the files to your website directory, or unpack them in your local drive.
Only upload the following files to your webserver: adminlog.php, slogin_lib.inc.php and (optionally) slogin_genpass.php.

3) Configure.
Edit the slogin_lib.inc.php file to configure your authentication.
* Change the slogin_default_lang variable to "en", "es", "fr" or "de" to change the login messages to English, Spanish, French or German. (This setting is a default to be used for the pages that don't define it).
* Change the slogin_default_pagetitle variable to something like "My website". (This setting is a default to be used for the pages that don't define it).
* Then change the slogin_userstxt variable to the name of your users file. For increased security change the name to something else (default name is slog_users.txt), for example: "my_friends_data.txt".
* For even more security, enable the use of hashed (encrypted) passwords by changing the slogin_usehashes variable to 1 (this is more important if you use the text user file).
* If your web server has the PHP function fopen disabled, you can enable the alternate user php file; just change the slogin_canusefopen variable to 0 (it is not necessary to rename the slog_users.php file).
* If you want the users to be redirected to another page once they log in (for example to a welcome page) then set the slogin_default_redirect variable to the full URL of that page, for example "http://www.mydomain.com/welcome.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to another page once they log out (for example to a goodbye page) then set the slogin_default_logoutredirect variable to the full URL of that page, for example "http://www.mydomain.com/goodbye.php". (This setting is a default to be used for the pages that don't define it).
* If you want the users to be redirected to a special page once they log in (for example to a personal welcome page for each user) then set the slogin_allowuser_redirect variable to 1.
This option depends on the value of the slogin_default_redirect variable. So, for example, if slogin_default_redirect is set to "http://www.mydomain.com/private/" then user "mary" will be redirected to the URL "http://www.mydomain.com/private/mary" when logging in, user "john" will be redirected to page "http://www.mydomain.com/private/john", and so on. Please note that this only affects the redirection URL, not the permissions. In these examples, mary can still visit john's page if she wants.

4) You are done.
Test your site. Also check the adminlog.php script, where you can see all logins by date. (The adminlog.php script can only be viewed by the user named admin).
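
The users-file steps above store either plain-text passwords or, with slogin_usehashes set to 1, unsalted MD5 hashes, and the README's own sample accounts (testuser/testpass, mario.valdez/qwerty, admin/admin) are public. The following Python audit is an added example, not part of SiTeFiLo or of the original README; it checks a users file in the "username, password" format for plain-text entries and for passwords that are a README sample or the username itself. The function names, the finding labels and the sample file content are assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed sample in the README's "username, password" format.
SAMPLE_USERS_FILE = """\
testuser, testpass
mario.valdez, qwerty
admin, 21232f297a57a5a743894a0e4a801fc3
carol, 0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

# Passwords printed in the README's own examples, so effectively public.
README_PASSWORDS = ("testpass", "qwerty", "admin")
MD5_HEX = re.compile(r"[0-9a-f]{32}")


def md5_hex(text):
    """Unsalted MD5 hex digest, the stored form the README describes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def audit_users(text, use_hashes=True):
    """Return (username, finding) tuples for risky entries in a users file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, secret = (part.strip() for part in line.partition(","))
        if not (sep and user and secret):
            findings.append((f"line {lineno}", "malformed"))
            continue
        stored = secret.lower()
        if use_hashes and not MD5_HEX.fullmatch(stored):
            findings.append((user, "plaintext"))
        # Unsalted MD5 maps each password to one fixed digest, so a known
        # password is recognisable whether stored in clear or hashed.
        for guess in README_PASSWORDS + (user,):
            if secret == guess or stored == md5_hex(guess):
                findings.append((user, "known-password"))
                break
    return findings


if __name__ == "__main__":
    for who, finding in audit_users(SAMPLE_USERS_FILE):
        print(f"{who}: {finding}")
```

Pass use_hashes=False when slogin_usehashes is 0, so that plain-text storage itself is not reported and only known passwords are.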